Date: Tue Jul 19 02:55:24 2005
From: fdlist at digitaloffense.net (H D Moore)
Subject: Advice RE Site Exploit

It doesn't work that way ;-) You either get to abuse the bug or tell 
them about it; trying to do both is what gets people put into jail. In 
your communication with the company, you could always ask for a discount 
on your service or some other perk (in a polite and non-demanding way), 
but IMO that's as far as you can go without it looking like extortion.

If you left your wallet in your car with the windows down and someone 
walks up to you and tells you about it, you will have one of two 
reactions. You will be happy that someone seemed concerned for your 
well-being or pissed off that some jerk was looking into your car in the 
first place. The reaction is going to depend on how you are approached 
and what they say. If they immediately ask for $10 on the grounds that 
they could have just taken your entire wallet, you might be motivated to 
break their face. Just because someone has the potential to rob you 
doesn't mean that you should be grateful to them if they don't :-) 

-HD

On Monday 18 July 2005 19:22, David Wilde wrote:
> Hello All,
>
> Long time lurker.  I have recently come across a rather significant
> (IMHO) exploit to gain access to a significant number of accounts held
> by one of the two satellite tv companies in the US.  I of course want
> to do the right thing (TM), but I also would like a free lifetime
> subscription to all of the channels with hardware upgrades at my
> discretion :)  What is the best way of informing the company of my
> discovery and my wishes with the ultimate goal of 1) not going to jail
> being labeled a terrorist and threat to national security, and 2)
> getting what I want?
>
> TIA
